
Accenture Left AWS S3 Buckets Containing Cloud Credentials Open to Public

Accenture left four Amazon Web Services (AWS) S3 buckets open and downloadable to the public, containing software for its Accenture Cloud Platform enterprise cloud offering and other sensitive internal data, security researchers said today.

The unsecured AWS S3 buckets were discovered by UpGuard security researcher Chris Vickery on Sept. 17, 2017, and revealed “significant internal Accenture data, including cloud platform credentials and configurations.” Credentials for Accenture’s Google and Azure accounts also appeared to be stored in one of the buckets, which could have far-reaching consequences in the hands of a malicious actor.

The servers were secured the next day, after Vickery, UpGuard's Director of Cyber Risk Research, notified Accenture.

In a blog post on Tuesday, Vickery said that this exposure could have been prevented with a simple password requirement added to each bucket. His recommendation comes as a new survey by OneLogin finds that IT pros are failing to enforce password policies.

“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” Vickery said in a blog post. “It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”